802.1x Feature Overview and Configuration Guide
Technical Guide

Introduction

802.1x is an IEEE standard providing a mechanism for authenticating devices attached to a LAN port or wireless device. Devices wishing to access services behind a port must authenticate themselves before any Ethernet packets are allowed to pass through.

The protocol is referred to as 802.1x because it was initially defined in the IEEE standard 802.1x, published in 2001 and revised in 2004 and again as the current 802.1x-2010 standard.

Networks have two important requirements:

Security: authentication and authorization
Flexibility: the ability for users to roam

Networks need a device authentication method that is highly secure, but not tied to a port's physical location. The network resources presented to a given user need to be determined from their authentication credentials. 802.1x user authentication satisfies these requirements. It is relatively uncomplicated and has little impact on network performance. It is a medium-independent protocol, being equally effective on wireless connections (802.11i) and wired connections. 802.1x user authentication is rapidly becoming an expected component of networks.

C613-22005-00 REV A alliedtelesis.com

Products and software version that apply to this guide

This guide applies to all AlliedWare Plus products running version 5.4.4 or later. Feature support may change in later software versions. For the latest information, see the following documents:

The product's Datasheet
The AlliedWare Plus Datasheet
The product's Command Reference

These documents are available from the above links on our website at alliedtelesis.com.
Contents

Introduction
  Products and software version that apply to this guide
802.1x System Components
  802.1x component protocols
  Example message sequence
Basic Steps in 802.1x Configuration
  Multi-supplicant modes
  Single supplicant
  Multi-host
802.1x VLAN Assignment
  Dynamic VLAN assignment
802.1x Configuration Example
  Dynamic VLAN assignment with multiple supplicants
  Using a guest VLAN
Verify the operation of 802.1x
  Names of commands used

802.1x System Components

There are three main components to a system using 802.1x port authentication control:

Authenticator: the device that wishes to enforce authentication before allowing access to services that are accessible behind it. An example of this is a switch that has 802.1x port authentication control enabled.

Supplicant: the client that wishes to access services offered by the authenticator's system. An example of this is a Windows XP Professional PC with an 802.1x client.

Authentication server: the device that uses the authentication credentials supplied by the supplicant to determine whether the authenticator should grant access to its services. The AlliedWare Plus implementation of 802.1x supports the use of a RADIUS authentication server, using Extensible Authentication Protocol (EAP) in conjunction with RADIUS.

Figure 1: 802.1x system components (diagram: supplicants, switch acting as authenticator, RADIUS server acting as authentication server)

802.1x component protocols

There are two protocols involved in the authentication conversation:

1. EAPoL, exchanged between the supplicant and the authenticator. EAPoL (Extensible Authentication Protocol over LAN) is the protocol defined in IEEE 802.1x.
2. RADIUS, exchanged between the authenticator and the authentication server. RADIUS has received specific extensions to interoperate with EAPoL.
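The two-protocol conversation just described, worked through for the EAP-MD5 method used later in this guide's example sequence, as an added Python model that is not part of the guide or of AlliedWare Plus. EAPoL framing and EAP packets follow IEEE 802.1X and RFC 3748; the RADIUS leg is reduced to the server's response code and the EAP packet it relays (no RADIUS attribute encoding), and the user name and password are constructed.

```python
# Added example, not from the guide or AlliedWare Plus: EAP-MD5 over EAPoL
# between supplicant and authenticator, with the RADIUS leg reduced to the
# server's response code and the relayed EAP packet. Credentials constructed.
import hashlib
import os
import struct

EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2            # EAPoL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes (RFC 3748)
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4                            # EAP types
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_ACCEPT = 1, 2                 # RADIUS codes
RADIUS_ACCESS_REJECT, RADIUS_ACCESS_CHALLENGE = 3, 11


def eapol(ptype, body=b""):
    """EAPoL frame body: version, packet type, length, then the EAP packet (if any)."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body


def eap(code, ident, etype=None, data=b""):
    """EAP packet: code, identifier, length, then optional type and type-data."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:length]


def md5_response(ident, password, challenge):
    """EAP-MD5 uses CHAP (RFC 1994): MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class RadiusServer:
    """Authentication server: knows the users, issues and checks MD5 challenges."""
    def __init__(self, users):
        self.users, self.pending = users, {}

    def access_request(self, eap_pkt):
        """Returns (RADIUS code, EAP packet for the authenticator to relay)."""
        _, ident, etype, data = parse_eap(eap_pkt)
        if etype == EAP_TYPE_IDENTITY:                # step 5: choose MD5, challenge
            challenge = os.urandom(16)
            self.pending[ident + 1] = (data.decode(), challenge)
            value = bytes([len(challenge)]) + challenge
            return RADIUS_ACCESS_CHALLENGE, eap(EAP_REQUEST, ident + 1, EAP_TYPE_MD5, value)
        if etype == EAP_TYPE_MD5 and ident in self.pending:    # step 7: decide
            name, challenge = self.pending.pop(ident)
            password = self.users.get(name)
            if password and data[1:1 + data[0]] == md5_response(ident, password, challenge):
                return RADIUS_ACCESS_ACCEPT, eap(EAP_SUCCESS, ident)
        return RADIUS_ACCESS_REJECT, eap(EAP_FAILURE, ident)


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password.encode()

    def respond(self, eap_req):
        """Answer an EAP-Request/Identity or an EAP-Request MD5-Challenge."""
        _, ident, etype, data = parse_eap(eap_req)
        if etype == EAP_TYPE_IDENTITY:                 # step 3: send identity
            return eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity.encode())
        challenge = data[1:1 + data[0]]                # step 6: answer the challenge
        digest = md5_response(ident, self.password, challenge)
        return eap(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([len(digest)]) + digest)


def authenticate(supplicant, server):
    """The authenticator's side: EAPoL toward the port, RADIUS toward the server.
    Returns (port_authorized, final EAP code sent to the supplicant)."""
    if eapol(EAPOL_START)[1] != EAPOL_START:          # step 1: EAPOL-Start arrives
        return False, None
    request = eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)  # step 2: ask for credentials
    while True:
        frame = eapol(EAPOL_EAP_PACKET, supplicant.respond(request))
        code, reply = server.access_request(frame[4:])  # step 4: wrap into RADIUS
        if code == RADIUS_ACCESS_CHALLENGE:
            request = reply                            # ferry the challenge (step 6)
        else:                                          # step 8: EAP-Success or EAP-Fail
            return code == RADIUS_ACCESS_ACCEPT, parse_eap(reply)[0]
```

Only an Access-Accept authorizes the port; an unknown user is still challenged and then rejected, so the server does not reveal whether the identity exists.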
The diagram below illustrates where the EAPoL and RADIUS protocols are used in the authentication conversation:

Figure 2: 802.1x component protocols (diagram: EAPoL between the supplicants and the switch acting as authenticator; RADIUS between the switch and the RADIUS server acting as authentication server)

Table 1: Basic steps in an 802.1x conversation

STEP  ACTION
1     The supplicant informs the authenticator that it wants to initiate the conversation.
2     The authenticator requests the supplicant's credentials.
3     The supplicant sends a username/password or an X.509 certificate.
4     The authenticator wraps the supplicant's reply into a RADIUS packet and sends it to the RADIUS server.
5     The RADIUS server chooses an authentication method and sends an appropriate request to the supplicant as a 'challenge'.
6     The RADIUS server and supplicant exchange some messages, ferried by the authenticator.
7     The RADIUS server eventually decides whether the supplicant is allowed access, and sends an Access-Accept or Access-Reject message to the authenticator.
8     The authenticator sends an EAPoL-Success or EAPoL-Fail to the supplicant.
9     The supplicant has a session using the network (if accepted).
10    When the session is over, the supplicant sends a log-off message.

Example message sequence

The diagram below illustrates an exchange using the EAP-MD5 authentication method, which is the simplest authentication method supported by 802.1x. The EAPoL log-off message, of course, is not sent immediately after the other messages in the diagram, but later on, at the end of the supplicant's data session, when it wishes to disconnect from the network.

Figure 3: EAPoL message sequence (diagram: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity (MyID), EAP-Request-Challenge (MD5) and EAP-Response-Challenge (MD5) pass between supplicant and switch, each relayed as Radius-Access-Request / Radius-Access-Challenge between switch and RADIUS server; Radius-Access-Accept leads to EAP-Success and the port being authorized, Radius-Access-Reject to EAP-Fail and the port staying unauthorized; the data session ends with EAPOL-Logoff, after which authentication is terminated and the port is unauthorized again)

Basic Steps in 802.1x Configuration

To configure the switch operating as authenticator, follow the instructions below:

Figure 4: Configuring 802.1x basic steps (diagram: supplicant on port1.0.5 of the switch acting as authenticator, RADIUS server acting as authentication server at 192.168.1.250; 192.168.1.45 is also shown)

Step 1: Configure a RADIUS server for the switch to send requests to
awplus(config)# radius-server host 192.168.1.250 key <secret-key>

Step 2: Instruct 802.1x to use the configured RADIUS server
awplus(config)# aaa authentication dot1x default group radius

Step 3: Configure port1.0.5 for 802.1x authentication
awplus(config)# interface port1.0.5
awplus(config-if)# dot1x port-control auto
awplus(config-if)# spanning-tree portfast

Multi-supplicant modes

AlliedWare Plus can be configured to accept one or more supplicants downstream of a port. Three authentication host-modes are available:

single-supplicant: the default state; only one supplicant is allowed per port.
multi-host: once the first host on a port is authenticated, all other downstream hosts are allowed without being authenticated (piggy-back mode).
multi-supplicant: multiple separate supplicants are individually authenticated on one port.
The command (entered in interface configuration mode for a physical port interface) is:

awplus(config-if)# auth host-mode {single-supplicant|multi-host|multi-supplicant}

This command controls how the switch deals with the situation where multiple authentication supplicants are downstream of a single port. This is possible when EAP passes through a Layer 2 switch which has been connected to the port, and the supplicants are attached to that Layer 2 switch.

Single supplicant

The first option that the command can set is single-host. With this option, only one supplicant may be authenticated on the port. Once that host has been authenticated, no other supplicants may be authenticated until the first supplicant's session has closed. This means, of course, that none of the other hosts downstream of the port will be able to send or receive traffic on that port.

This option is recommended when you know that there should only be one host connected to a port. By limiting the port to a single authenticated host, you guard against the consequences of someone accidentally or maliciously connecting a downstream switch to the port.

Multi-host

The next available host-mode option is multiple host mode (chosen by the parameter value multi-host). With this mode, once the first host has been authenticated on the port, all other downstream hosts are allowed without being authenticated. This is sometimes known as piggy-back mode. It is useful when the downstream switch attached to the authenticating port is an intelligent switch that can act as an authentication supplicant. If you trust that malicious users cannot be connected to that switch but you do not know the identity of those users, then you can simply authenticate the switch and then allow its attached users to have network access.
If the valid switch is disconnected and an invalid one is connected which is not configured with the correct authentication credentials, then the devices connected to the invalid switch will be blocked from accessing the network.

Figure 5: Configuring 802.1x multi-host (diagram: hosts behind a switch or router that can act as an 802.1x supplicant, connected to an x900 switch acting as authenticator, with a RADIUS server as authentication server; once the supplicant switch/router is authenticated, all traffic from these hosts is allowed)

802.1x VLAN Assignment

Dynamic VLAN assignment

Whilst the authentication of devices attaching to the network is primarily driven by security considerations, it has significant spin-off benefits. Once a device has been authenticated, the network knows the identity of the device and/or its user. Decisions can be made based on this identity. In particular, it is possible to decide what network environment, and what level of access, to present to this device and its user.

The standard mechanism via which a user's network environment is controlled is VLAN membership. Once a user's packets are classified into a particular VLAN, the user's access to the network will be controlled by the constraints that have been put on that VLAN throughout the network. For this reason, it is now common for LAN switches to have the ability to dynamically assign the VLAN into which a device's traffic will be classified, once that device has been authenticated.

Dynamic VLAN assignment is achieved by a collaboration between the authenticator (the LAN switch) and the authentication server (the RADIUS server). When the RADIUS server sends back a RADIUS accept message to the authenticator, it can also include other attributes in that message that identify a VLAN to which the authenticated device should be assigned.

Dynamic VLAN assignment is a powerful extension to 802.1x, as it enables:

Identity-based networking: the user gets the same environment no matter where they connect.
Guest access: guest users are allowed access to very limited parts of the network.
NAC: the level of access is based on a workstation's security status.

Figure 6: Dynamic VLAN assignment (diagram: supplicants, x900 switch as authenticator, RADIUS server as authentication server; the RADIUS access-accept message says "supplicant is accepted, put them into VLAN X")

802.1x Configuration Example

Authenticator configuration

In addition to the basic 802.1x configuration, some further configuration is required to enable dynamic VLAN creation on the switch. The VLANs that can be dynamically assigned must be present in the VLAN database:

awplus(config)# vlan database
awplus(config-vlan)# vlan x
awplus(config-vlan)# vlan y
awplus(config-vlan)# vlan z
awplus(config-vlan)# exit

Ports that accept VLAN membership dynamically have to be enabled for dynamic VLAN creation:

awplus(config)# interface port1.0.5
awplus(config-if)# auth dynamic-vlan-creation

The following example explains how to configure 802.1x. In this example, the RADIUS server keeps the client information, validating the identity of the client and updating the switch about the authentication status of the client. The switch is the physical access between the two clients and the server. It requests information from the client, relays information to the server and then back to the client.

To configure 802.1x authentication, first enable authentication on port1.0.1 and port1.0.2, and then specify the RADIUS server IP address and port.

Figure 7: 802.1x configuration example (diagram: Client A on port1.1.1 and Client B on port1.1.2 of the switch, vlan 4, RADIUS server 192.126.12.1)

Table 2: 802.1x configuration on the switch

awplus# configure terminal
    Enter the Global Configuration mode.
awplus(config)# aaa authentication dot1x default group radius
    Enable authentication globally.
awplus(config)# interface port1.0.1
    Specify the interface (port1.0.1) to be configured and enter the Interface mode.
awplus(config-if)# dot1x port-control auto
    Enable authentication (via RADIUS) on port1.0.1.
awplus(config-if)# dot1x control-direction both
    Block traffic in both directions, other than authentication packets, until authentication is complete.
awplus(config-if)# exit
    Exit the Interface Configuration mode and enter the Global Configuration mode.
awplus(config)# interface port1.0.2
    Specify the interface (port1.0.2) you are configuring and enter the Interface mode.
awplus(config-if)# dot1x port-control auto
    Enable authentication (via RADIUS) on port1.0.2.
awplus(config-if)# exit
    Exit the Interface Configuration mode and enter the Global Configuration mode.
awplus(config)# radius-server host 192.126.12.1 auth-port 1812
    Specify the RADIUS server address (192.126.12.1) and authentication port.
awplus(config)# radius-server key secret
    Specify the shared key (secret) between the RADIUS server and the client.
awplus(config)# interface vlan4
    Specify the VLAN (vlan4) to be configured and enter the Interface mode.
awplus(config-if)# ip address 192.126.12.2/24
    Set the IP address on vlan4.

Dynamic VLAN assignment with multiple supplicants

In multi-supplicant mode, what happens if two supplicants downstream of the same port are assigned to different VLANs? The auth dynamic-vlan-creation command has two parameters that govern the operation in this situation: rule and type.

The rule parameter

The first parameter is the rule parameter. For SBx8100, SBx908 and x900 Series switches (the situation is different for the x210, x230, x310, x510, x600, x610 and x930 Series, as we will see below) it is not possible to assign different VLANs to untagged traffic from different supplicants.
On the SBx8100, SBx908 and x900, dynamic VLAN assignment effectively says 'the one untagged VLAN to be used on the authenticating port is VLAN x'. So, if the first supplicant is authenticated and assigned VLAN 45, then the authenticating port will classify all untagged traffic arriving on the port into VLAN 45. But if a second supplicant downstream of the same port then authenticates, and the RADIUS server assigns VLAN 56 to that supplicant, the switch faces a dilemma. It is already using VLAN 45 as the untagged VLAN on that port; it cannot use VLAN 56 as well.

There are two ways that the switch can resolve this situation. It can:

1. Allow the second supplicant to access the network, but assign its data to VLAN 45.
2. Block the second supplicant from having network access.

The rule parameter configures which of these choices the switch will opt for. If rule is set to permit, then option (1) above is chosen. If rule is set to deny, then option (2) above is chosen.

The type parameter

The second parameter is the type parameter. The type parameter applies only to the x210, x230, x310, x510, x600, x610 and x930 Series switches. This is because these switches support MAC-based VLANs, whereas the x8100, x900 Series and SBx908 do not. The effect of the type parameter is to make use of the MAC-based VLAN support of the x210, x230, x310, x510, x600, x610 and x930 to provide a better solution to the case where different supplicants downstream of a single port are dynamically allocated to different VLANs.

If type is set to the value single, then the MAC-based VLAN capability is not used, and the port's behavior in the different-dynamic-VLANs situation will be controlled by the rule parameter. However, if type is set to multi, the switch brings the MAC-based VLAN capability into play. This capability enables it to support multiple different untagged VLANs on the same port. This is achieved by associating VLAN membership with the source MAC address of the incoming packets.
So, when different supplicants downstream of a single port are dynamically assigned different VLANs, the switch simply builds a table that maps supplicants' MAC addresses to their dynamically assigned VLANs.

The combination of these parameters results in three options for handling the case where different VLANs are assigned to supplicants on the same port.

Option 1: Deny access to supplicant assigned a different VLAN

If the first supplicant authenticated on the port is assigned VLAN X, then any supplicants subsequently assigned a different VLAN are denied access. This is the default state when dynamic VLAN creation is enabled. This is configured with:

awplus(config-if)# auth dynamic-vlan-creation rule deny

Figure 8: Deny access to supplicant assigned to a different VLAN (diagram: 1. supplicant accepted and assigned VLAN 10; 2. supplicant accepted and assigned to VLAN 11)

Option 2: Force all supplicants into the same VLAN

If the first supplicant authenticated on the port is assigned VLAN X, then any supplicants subsequently assigned a different VLAN are allowed access, but forced into VLAN X. This is configured with:

awplus(config-if)# auth dynamic-vlan-creation rule permit

Figure 9: Force all supplicants into the same VLAN (diagram, x900 switch as authenticator: 1. supplicant accepted and assigned VLAN 10; 2. supplicant accepted by RADIUS server and assigned VLAN 11; the authenticator allows access but puts the supplicant into VLAN 10)

Option 3: Dynamically assign multiple VLANs to one port

On the x210, x230, x310, x510, x600, x610 and x930 switches, it is actually possible to assign different VLANs to different supplicants downstream of the same port. This is configured with:

awplus(config-if)# auth dynamic-vlan-creation rule permit type multi

Figure 10: Dynamically assign multiple VLANs to one port (diagram, x600 switch as authenticator: 1. supplicant accepted and assigned VLAN 10; 2. supplicant accepted and assigned to VLAN 11; the authenticator allows access and allocates this supplicant's data to VLAN 11)

The switch can assign VLAN membership to packets based on source MAC:

Packets from the MAC of supplicant 1 are assigned to VLAN 10.
Packets from the MAC of supplicant 2 are assigned to VLAN 11.

This feature is not supported on SBx8100, x900 and SwitchBlade x908 switches.

Using a guest VLAN

Whilst you need to authenticate the users who will have access to the important services within your network, you might also want to provide some basic level of access to users who fail to authenticate. For example, visitors to an enterprise will often need to have Internet access. It would be desirable to have a secure, convenient way to provide this Internet access via the corporate LAN.

By default, 802.1x denies access to users who fail authentication. Guests are not known to the RADIUS server, so they fail authentication. The solution is to provide a guest VLAN, which is configured with:

awplus(config)# interface port1.0.5
awplus(config-if)# auth guest-vlan <vlan id>

Figure 11: Using a guest VLAN (diagram: a private zone with client devices, an x900 stack, an 8000GS, a Windows 2008 server and an Enterprise CA server; a public/private zone with an x600 and an AR770 toward the Internet; a supplicant assigned to the guest VLAN; ACLs used to ensure guest VLAN traffic goes to the Internet and nowhere else; links shown as 10/100, 1 Gigabit and link aggregation)

If a supplicant attempts authentication and fails, or does not even attempt authentication (no 802.1x client in the PC), then it is dynamically assigned to the guest VLAN.
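The three rule/type options above and the guest VLAN fallback, as an added Python model of the authenticating port that is not the guide's or AlliedWare Plus code. It assumes the RADIUS server names the VLAN with the RFC 3580 Tunnel attributes (the guide does not say which attributes carry it), and the MAC addresses, VLAN ids and verdicts are constructed.

```python
# Added example, not from the guide or AlliedWare Plus: how an authenticating
# port resolves the RADIUS verdict, the 'auth dynamic-vlan-creation rule/type'
# parameters and the guest VLAN. Sample MACs, VLAN ids and verdicts constructed.
from dataclasses import dataclass, field
from typing import Optional

# RFC 3580 attributes commonly used to carry the VLAN in an Access-Accept
# (assumption: the guide does not name the attributes its RADIUS server uses)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def vlan_from_access_accept(attrs):
    """VLAN id named by the Access-Accept attributes, or None if absent/invalid."""
    if attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        return None
    try:
        return int(attrs[TUNNEL_PRIVATE_GROUP_ID])
    except (KeyError, ValueError):
        return None


@dataclass
class AuthPort:
    rule: str = "deny"          # auth dynamic-vlan-creation rule {permit|deny}
    vlan_type: str = "single"   # ... type {single|multi}; multi needs MAC-based VLANs
    guest_vlan: Optional[int] = None  # auth guest-vlan <vlan id>, None if not set
    port_vlan: Optional[int] = None   # untagged VLAN in use on the port (type single)
    sessions: dict = field(default_factory=dict)  # MAC -> VLAN of admitted hosts

    def admit(self, mac, verdict, vlan=None):
        """verdict is 'accept' (with the RADIUS-assigned vlan), 'reject', or
        'no-client' for a host that never attempts 802.1x.
        Returns (allowed, vlan, reason)."""
        if verdict != "accept":
            if self.guest_vlan is None:
                return False, None, "denied: authentication failed, no guest VLAN"
            self.sessions[mac] = self.guest_vlan
            return True, self.guest_vlan, "guest VLAN"
        if self.vlan_type == "multi":
            # Option 3: MAC-based VLAN, each supplicant keeps its own VLAN
            self.sessions[mac] = vlan
            return True, vlan, "MAC-based VLAN"
        if self.port_vlan is None or self.port_vlan == vlan:
            self.port_vlan = vlan       # first supplicant sets the port's untagged VLAN
            self.sessions[mac] = vlan
            return True, vlan, "port untagged VLAN set"
        if self.rule == "permit":
            # Option 2: allowed, but forced into the VLAN already on the port
            self.sessions[mac] = self.port_vlan
            return True, self.port_vlan, "forced into port VLAN"
        # Option 1 (default): a different VLAN is already in use on the port
        return False, None, "denied: port already uses a different VLAN"

    def classify(self, mac):
        """VLAN into which untagged traffic from this MAC is classified, or None."""
        return self.sessions.get(mac)
```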
Verify the operation of 802.1x

When a supplicant has been authenticated on a port, the details of the authentication can be seen with:

show dot1x supplicant int port1.0.5

Interface port1.0.5
  authenticationMethod: dot1x                  <--- Authenticated by 802.1x
  totalSupplicantNum: 1
  authorizedSupplicantNum: 1
  macBasedAuthenticationSupplicantNum: 0
  dot1xAuthenticationSupplicantNum: 1
  WebBasedAuthenticationSupplicantNum:
  otherAuthenticationSupplicantNum: 0
  Supplicant name: Engineer01                  <--- Supplicant name
  Supplicant address: 0002.b363.319f           <--- MAC of authenticated device
    authenticationMethod: 802.1x
    portStatus: Authorized - currentId: 9
    abort:F fail:F start:F timeout:F success:T
    PAE: state: Authenticated - portMode: Auto
    PAE: reAuthCount: 0 - rxRespId: 0
    PAE: quietPeriod: 60 - maxReauthReq: 2
    BE: state: Idle - reqCount: 0 - idFromServer: 8
    CD: adminControlledDirections: both - operControlledDirections: both
    CD: bridgeDetected: false
    KR: rxKey: false
    KT: keyAvailable: false - keyTxEnabled: false
    dynamicVlanId: 20                          <--- VLAN assigned, if dynamic VLAN assignment is enabled

When a supplicant has been authenticated and assigned to a VLAN, the port they authenticated on will then be seen to be a member of that VLAN.
show vlan 20

VLAN ID  Name              Type     State    Member ports
                                             (u)-Untagged, (t)-Tagged
=======  ================  =======  =======  ======================
20       Engineering       STATIC   ACTIVE   port1.0.5(u)

show vlan 30

VLAN ID  Name              Type     State    Member ports
                                             (u)-Untagged, (t)-Tagged
=======  ================  =======  =======  ======================
30       Marketing         STATIC   ACTIVE   port1.0.5(u)

Names of commands used

dot1x port-control
radius-server host
radius-server key

Validation commands

show dot1x
show dot1x interface

© 2015 Allied Telesis Inc. All rights reserved.
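As an added example for the verification step above (not from the guide or AlliedWare Plus): a parser for the show dot1x supplicant output format that flags supplicants which are not Authorized or not in the expected dynamic VLAN, so a port can be checked in bulk rather than read by eye. The sample output is constructed in that format and includes a second, unauthorized supplicant.

```python
# Added example, not from the guide or AlliedWare Plus: parse the
# 'show dot1x supplicant' output format and audit each supplicant block.
# SAMPLE_OUTPUT is constructed in that format (names and MACs are made up).
import re

SAMPLE_OUTPUT = """\
Interface port1.0.5
  authenticationMethod: dot1x
  totalSupplicantNum: 2
  authorizedSupplicantNum: 1
  Supplicant name: Engineer01
  Supplicant address: 0002.b363.319f
    authenticationMethod: 802.1x
    portStatus: Authorized - currentId: 9
    abort:F fail:F start:F timeout:F success:T
    PAE: state: Authenticated - portMode: Auto
    PAE: quietPeriod: 60 - maxReauthReq: 2
    dynamicVlanId: 20
  Supplicant name: Visitor07
  Supplicant address: 0002.b363.3200
    authenticationMethod: 802.1x
    portStatus: Unauthorized - currentId: 3
    PAE: state: Held - portMode: Auto
"""

# "key: value", optionally prefixed by the state-machine label (PAE:, BE:, ...)
FIELD = re.compile(r"^(?:(?:PAE|BE|CD|KR|KT): )?([A-Za-z][A-Za-z ]*): (.*)$")


def parse_supplicants(text):
    """Return one dict per supplicant block, keyed by the output's field names."""
    supplicants, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Supplicant name:"):
            current = {"Supplicant name": line.split(":", 1)[1].strip()}
            supplicants.append(current)
        elif current is not None:
            # several "key: value" fields can share one line, joined by " - "
            for part in line.split(" - "):
                m = FIELD.match(part)
                if m:
                    current[m.group(1).strip()] = m.group(2).strip()
    return supplicants


def audit_port(text, expected_vlan):
    """List (name, field, value) for supplicants that are not Authorized,
    or that are Authorized but not in the expected dynamic VLAN."""
    findings = []
    for s in parse_supplicants(text):
        name = s["Supplicant name"]
        if not s.get("portStatus", "").startswith("Authorized"):
            findings.append((name, "portStatus", s.get("portStatus")))
        elif s.get("dynamicVlanId") != str(expected_vlan):
            findings.append((name, "dynamicVlanId", s.get("dynamicVlanId")))
    return findings
```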